feat(access): during organization permission check, check to ensure user is logged on

!13
2024-05-29 06:22:24 +09:30
parent 26bea9edb2
commit 7f7f719731
9 changed files with 33 additions and 86 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,8 @@
+
+![GitLab Bugs](https://img.shields.io/gitlab/issues/open/nofusscomputing%2Fprojects%2Fdjango_template?labels=type%3A%3Abug&style=plastic&logo=gitlab&label=Bug%20Fixes%20Required&color=fc6d26)
+
+
+![GitLab Issues](https://img.shields.io/gitlab/issues/open/nofusscomputing%2Fprojects%2Fdjango_template?style=plastic&logo=gitlab&label=Issues&color=fc6d26)
+
+![Docker Pulls](https://img.shields.io/docker/pulls/nofusscomputing/django-template?style=plastic&logo=docker&color=0db7ed)
+
--- a/app/access/mixin.py
+++ b/app/access/mixin.py
@ -1,5 +1,5 @@

-from django.contrib.auth.mixins import PermissionRequiredMixin
+from django.contrib.auth.mixins import AccessMixin, PermissionRequiredMixin
 from django.contrib.auth.models import Group
 from django.core.exceptions import PermissionDenied
 from django.utils.functional import cached_property
@ -148,13 +148,16 @@ class OrganizationMixin():



-class OrganizationPermission(OrganizationMixin):
+class OrganizationPermission(AccessMixin, OrganizationMixin):
    """checking organization membership"""


    def dispatch(self, request, *args, **kwargs):
        self.request = request

+        if not request.user.is_authenticated:
+                return self.handle_no_permission()
+
        if hasattr(self, 'get_object'):

            if not self.has_permission() and not request.user.is_superuser:
--- a/app/access/tests/organization/test_organizaiton_permission.py
+++ b/app/access/tests/organization/test_organizaiton_permission.py
@ -172,7 +172,7 @@ class OrganizationPermissions(TestCase):

        response = client.get(url)

-        assert response.status_code == 403
+        assert response.status_code == 302 and response.url.startswith('/account/login')


    def test_organization_auth_view_no_permission_denied(self):
@ -326,11 +326,7 @@ class OrganizationPermissions(TestCase):

        response = client.patch(url, data={'device': 'device'})

-        assert (
-            response.status_code == 302
-            or
-            response.status_code == 403
-        )
+        assert response.status_code == 302 and response.url.startswith('/account/login')


    def test_organization_auth_change_no_permission_denied(self):
--- a/app/access/tests/test_auth_app_structure.py
+++ b/app/access/tests/test_auth_app_structure.py
@ -34,30 +34,7 @@ def test_require_login_organizations():

    response = client.get(url)

-    assert response.status_code == 302
-
-@pytest.mark.skip(reason="to be re-written for orgmixin")
-@pytest.mark.django_db
-def test_require_login_organization_pk(organization):
-    """Ensure login is required to view an organization"""
-    client = Client()
-    url = reverse('Access:_organization', kwargs={'organization_id': 1})
-
-    response = client.get(url)
-
-    assert response.status_code == 302
-
-
-@pytest.mark.django_db
-def test_login_view_organizations_no_permission(user):
-    """Some docstring defining what the test is checking."""
-    client = Client()
-    url = reverse('Access:Organizations')
-    client.force_login(user)
-
-    response = client.get(url)
-
-    assert response.status_code == 403
+    assert response.status_code == 302 and response.url.startswith('/account/login')


@pytest.mark.skip(reason="to be written")
--- a/app/access/views/organization.py
+++ b/app/access/views/organization.py
@ -1,5 +1,4 @@
 from django.contrib.auth import decorators as auth_decorator
-from django.contrib.auth.mixins import LoginRequiredMixin
 from django.utils.decorators import method_decorator
 from django.views import generic

@ -9,7 +8,9 @@ from access.models import *


 class IndexView(OrganizationPermission, generic.ListView):
-    permission_required = 'access.view_organization'
+    permission_required = [
+        'access.view_organization'
+    ]
    template_name = 'access/index.html.j2'
    context_object_name = "organization_list"

@ -64,12 +65,12 @@ class View(OrganizationPermission, generic.UpdateView):



-class Change(LoginRequiredMixin, OrganizationPermission, generic.DetailView):
+class Change(OrganizationPermission, generic.DetailView):
    pass



-class Delete(LoginRequiredMixin, OrganizationPermission, generic.DetailView):
+class Delete(OrganizationPermission, generic.DetailView):
    pass


--- a/app/itam/tests/device/test_device_permission.py
+++ b/app/itam/tests/device/test_device_permission.py
@ -171,7 +171,7 @@ class DevicePermissions(TestCase):

        response = client.get(url)

-        assert response.status_code == 403
+        assert response.status_code == 302 and response.url.startswith('/account/login')


    def test_device_auth_view_no_permission_denied(self):
@ -235,11 +235,7 @@ class DevicePermissions(TestCase):

        response = client.put(url, data={'device': 'device'})

-        assert (
-            response.status_code == 302
-            or
-            response.status_code == 403
-        )
+        assert response.status_code == 302 and response.url.startswith('/account/login')

    # @pytest.mark.skip(reason="ToDO: figure out why fails")
    def test_device_auth_add_no_permission_denied(self):
@ -320,11 +316,7 @@ class DevicePermissions(TestCase):

        response = client.patch(url, data={'device': 'device'})

-        assert (
-            response.status_code == 302
-            or
-            response.status_code == 403
-        )
+        assert response.status_code == 302 and response.url.startswith('/account/login')


    def test_device_auth_change_no_permission_denied(self):
@ -420,11 +412,7 @@ class DevicePermissions(TestCase):

        response = client.delete(url, data={'device': 'device'})

-        assert (
-            response.status_code == 302
-            or
-            response.status_code == 403
-        )
+        assert response.status_code == 302 and response.url.startswith('/account/login')


    def test_device_auth_delete_no_permission_denied(self):
--- a/app/itam/tests/operating_system/test_operating_system_permission.py
+++ b/app/itam/tests/operating_system/test_operating_system_permission.py
@ -171,7 +171,7 @@ class OperatingSystemPermissions(TestCase):

        response = client.get(url)

-        assert response.status_code == 403
+        assert response.status_code == 302 and response.url.startswith('/account/login')


    def test_operating_system_auth_view_no_permission_denied(self):
@ -235,11 +235,7 @@ class OperatingSystemPermissions(TestCase):

        response = client.put(url, data={'operating_system': 'operating_system'})

-        assert (
-            response.status_code == 302
-            or
-            response.status_code == 403
-        )
+        assert response.status_code == 302 and response.url.startswith('/account/login')

    # @pytest.mark.skip(reason="ToDO: figure out why fails")
    def test_operating_system_auth_add_no_permission_denied(self):
@ -320,12 +316,7 @@ class OperatingSystemPermissions(TestCase):

        response = client.patch(url, data={'operating_system': 'operating_system'})

-        assert (
-            response.status_code == 302
-            or
-            response.status_code == 403
-        )
-
+        assert response.status_code == 302 and response.url.startswith('/account/login')

    def test_operating_system_auth_change_no_permission_denied(self):
        """ Ensure permission view cant make change
@ -420,11 +411,7 @@ class OperatingSystemPermissions(TestCase):

        response = client.delete(url, data={'operating_system': 'operating_system'})

-        assert (
-            response.status_code == 302
-            or
-            response.status_code == 403
-        )
+        assert response.status_code == 302 and response.url.startswith('/account/login')


    def test_operating_system_auth_delete_no_permission_denied(self):
--- a/app/itam/tests/software/test_software_permission.py
+++ b/app/itam/tests/software/test_software_permission.py
@ -171,7 +171,7 @@ class SoftwarePermissions(TestCase):

        response = client.get(url)

-        assert response.status_code == 403
+        assert response.status_code == 302 and response.url.startswith('/account/login')


    def test_software_auth_view_no_permission_denied(self):
@ -235,11 +235,7 @@ class SoftwarePermissions(TestCase):

        response = client.put(url, data={'software': 'software'})

-        assert (
-            response.status_code == 302
-            or
-            response.status_code == 403
-        )
+        assert response.status_code == 302 and response.url.startswith('/account/login')

    # @pytest.mark.skip(reason="ToDO: figure out why fails")
    def test_software_auth_add_no_permission_denied(self):
@ -320,11 +316,7 @@ class SoftwarePermissions(TestCase):

        response = client.patch(url, data={'software': 'software'})

-        assert (
-            response.status_code == 302
-            or
-            response.status_code == 403
-        )
+        assert response.status_code == 302 and response.url.startswith('/account/login')


    def test_software_auth_change_no_permission_denied(self):
@ -420,11 +412,7 @@ class SoftwarePermissions(TestCase):

        response = client.delete(url, data={'software': 'software'})

-        assert (
-            response.status_code == 302
-            or
-            response.status_code == 403
-        )
+        assert response.status_code == 302 and response.url.startswith('/account/login')


    def test_software_auth_delete_no_permission_denied(self):
--- a/app/itam/views/device.py
+++ b/app/itam/views/device.py
@ -1,7 +1,6 @@
 import json
 import markdown

-# from django.contrib.auth.decorators import permission_required
 from django.contrib.auth import decorators as auth_decorator
 from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.db.models import Q